Vitaliy Trifonov, the Creative Technical Director at Group-IB, says the aim of creating and implementing ZTNA is one that has entered the mainstream
How has the Zero Trust Network Architecture evolved since it was first coined in 2010?
On paper, zero-trust network architecture is the natural successor to the perimeter-based security model. The preceding model, which gives unfettered access to any user upon completion of initial verification is no longer fit for purpose, especially given the vast numbers of individuals now working in a remote or hybrid setting following the COVID-19 pandemic.
Zero Trust Network Architecture (ZTNA) as a concept has gained significant traction within the cybersecurity space, and more companies are beginning to implement this form of security infrastructure, although many so-called ZTNA solutions still only scratch the surface. Indeed, the strive towards ZTNA has played a major role in the wide-scale adoption of multi-factor authentication (MFA) as an industry standard, and the increasing utilization of technologies such as identity-aware proxies and software-defined perimeters is removing some of the user experience (UX) barriers that implementing ZTNA could create.
For zero trust to be effective, companies require a universal access control system that works seamlessly with all operating systems and software and can be connected and integrated anywhere. Companies must also ensure they protect against any hidden backdoors and potential supply chain attacks by regularly verifying and auditing their processes and procedures.
Do you believe that technologies that support zero trust are moving into the mainstream?
The aim of creating and implementing ZTNA is one that has entered the mainstream. However, we are still a long way from a one-size-fits-all solution that will allow businesses and organizations to establish ZTNA on their networks. Technologies that embrace ZT principles are becoming more widely available on the market, and a large number of cloud service providers have crafted products containing security features that adhere to the tenets of ZT. That being said, if companies are truly committed to implementing ZTNA, piecemeal solutions won’t work. Companies and organizations must take an all-in approach for ZT to become an industry benchmark.
Do you believe that enterprise IT departments today require a new way of thinking because the castle itself no longer exists in isolation as it once did?
The so-called castle and moat security model is dead, and it’s not coming back. Castles (companies) are now too big, their digital infrastructure is so vast, and their attack perimeter is so large, that it’s now impossible to build a moat (security perimeter) around them. According to a recent FlexJobs survey, 87% of workers are looking for jobs that will allow them to work in a remote or hybrid environment, creating endpoint security risks as individuals use personal devices for work purposes. Furthermore, password policies, firewalls, and VPNs are becoming less reliable, given that they are often based on implicit trust.
Cybercriminals, who have shown time and again that they are highly adaptive and opportunistic, are incredibly skilled at exploiting the implicit trust contained in traditional defensive measures. With ZTNA, the new perimeter starts with each endpoint. Instead of relying on IP addresses in isolation, networks with ZTNA can authenticate resources and use them individually. Microsegmentation, a central concept of establishing ZTNA, is also vital to reducing attack surfaces and hindering attackers from moving laterally across networks. In short, ZT can make companies more resilient and responsive to new attacks.
How can companies get started with zero trust?
Firstly, companies must start from the concept that ZT is a system where every person, device, file, and application is considered to be a threat until properly verified. Additionally, to establish a ZT framework, companies must adhere to three core principles: that authorization may be granted only after explicit verification, that companies must enforce a least-privileged model and limit access to a need-to-know basis, and that all traffic must be continuously inspected and logged to verify user behaviour.
ZT policy, like any cybersecurity plan, must be tailored to a business or organization’s interests and needs. For example, the introduction of multiple new solutions to meet ZT goals could in fact create new security gaps that threat actors could exploit. At Group-IB, our audit and consulting team can provide companies with all they need to evaluate their infrastructures and processes, and give them the required information to understand what their current security risks are, and how to mitigate them. A thorough audit can be an invaluable tool for companies looking to implement ZT, as it can provide a much-needed reality check along with an implementation action plan.
Industry experts have warned that cyber-attacks will be focused on techniques that zero trust controls can’t mitigate. What according to you can be done to address this?
Zero Trust may be the gold standard for cybersecurity, but it is by no means a silver bullet. Additional measures and solutions will always be required to complement any Zero Trust architecture. This includes services such as Managed Extended Detection and Response and data loss prevention solutions.
Organizations should ensure that they are up-to-date with the latest Threat Intelligence research produced by vendors, and they should conduct regular security checks, including audits, compromise assessments, and penetration testing exercises to ensure that their security perimeter can stand strong against the threats of today and tomorrow.
What according to you are the limitations of zero trust?
One of the major limitations of Zero Trust in its current form is its complexity. Introducing ZT is often associated with the complete overhaul of any established infrastructure, making the creation of ZTNA a costly and time-consuming process that, in and itself has no guarantee of success. The human factor has and will continue, to play a crucial role in successful cyber attacks. Cybercriminals will continue to turn to social engineering ploys to gain initial access, and human error will still lead to security breaches, even if ZTNA is established.
For companies, one of the major challenges for establishing ZTNA will be ensuring that the tradeoffs in user experience are mitigated. Increased security measures can lead to increased frustrations for consumers, who may choose to turn to other services. Security should be paramount, but companies will have to ensure that their applications and services remain usable.